Project Config Best Practices
.env.example, security linting, git hooks, .gitignore, npm scripts security, lockfiles, and test data management.
7 vulnerabilities
No .env.example File
Severity: low. Without a .env.example file, new contributors don't know what environment variables are required, leading to insecure workarounds like hardcoding values.
No Security Linting
Severity: low. Without security-focused ESLint rules, common vulnerabilities like XSS sinks, dangerouslySetInnerHTML, and eval() usage slip through code review.
No Git Security Hooks
Severity: low. Without pre-commit hooks that scan for secrets and security issues, developers can accidentally push API keys and passwords to the repository.
Inadequate .gitignore
Severity: medium. A .gitignore that doesn't cover .env files, build artifacts, and IDE configs can lead to secrets or sensitive data being accidentally committed.
Insecure npm Scripts
Severity: medium. npm scripts that fetch and execute remote code, or that embed secrets as shell arguments, are a supply chain and credential exposure risk.
Missing Lockfile (Project Config)
Severity: medium. A project without a committed lockfile can install different dependency versions on each machine, making builds non-reproducible and supply chain attacks harder to detect.
Hardcoded Test Data
Severity: low. Test files with hardcoded real email addresses, phone numbers, or production-like credentials can leak PII and make it hard to tell test data from real secrets.